2ca208cf7266b2db15b5e79e4239a04e0a22147687af2fb54ccb895b151521ab

Analysis

max time kernel
148s
max time network
148s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23/02/2024, 01:32

Target

2024-02-23_38f0b3476ac60952b71e8be6b066fa3c_cryptolocker.exe
Size

54KB
MD5

38f0b3476ac60952b71e8be6b066fa3c
SHA1

395cbb244ebe169e4a66197e45a1ed775639a0c6
SHA256

2ca208cf7266b2db15b5e79e4239a04e0a22147687af2fb54ccb895b151521ab
SHA512

ae306abad238f4cf6cf9a35cdc1d0e0da15a2b1b55bcf650138dcdd4ef64d8540d00efeb27125522e23948ae5b5b0f65ad976f684dd55bb784894d190e1e8c0d
SSDEEP

768:79inqyNR/QtOOtEvwDpjBK/iVTab3GRuv3VylSV/CdvmLU:79mqyNhQMOtEvwDpjBPY7xv3g8emLU

Score

9^/10

Detection of CryptoLocker Variants 4 IoCs

resource	yara_rule
behavioral1/memory/2000-0-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2
behavioral1/memory/2000-14-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2
behavioral1/files/0x000a0000000143fa-11.dat	CryptoLocker_rule2
behavioral1/memory/3024-16-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_rule2

Detection of Cryptolocker Samples 4 IoCs

resource	yara_rule
behavioral1/memory/2000-0-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1
behavioral1/memory/2000-14-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1
behavioral1/files/0x000a0000000143fa-11.dat	CryptoLocker_set1
behavioral1/memory/3024-16-0x0000000000500000-0x000000000050F000-memory.dmp	CryptoLocker_set1

Executes dropped EXE 1 IoCs

pid	Process
3024	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
2000	2024-02-23_38f0b3476ac60952b71e8be6b066fa3c_cryptolocker.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 3024	2000	2024-02-23_38f0b3476ac60952b71e8be6b066fa3c_cryptolocker.exe	28
PID 2000 wrote to memory of 3024	2000	2024-02-23_38f0b3476ac60952b71e8be6b066fa3c_cryptolocker.exe	28
PID 2000 wrote to memory of 3024	2000	2024-02-23_38f0b3476ac60952b71e8be6b066fa3c_cryptolocker.exe	28
PID 2000 wrote to memory of 3024	2000	2024-02-23_38f0b3476ac60952b71e8be6b066fa3c_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-02-23_38f0b3476ac60952b71e8be6b066fa3c_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-23_38f0b3476ac60952b71e8be6b066fa3c_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:3024

\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
54KB

MD5
a9791b4b0da4353ef806e2ee85139a4f

SHA1
813a64986fd9e037f8355461f173889bc59a8784

SHA256
61b4ded97b1e9c4138fc031154b96e5cf205780b68aee600d851839f3c49c6de

SHA512
ae9368372cd3a4dec950fd74e7c0d161752f10e17db61d736765747636cbc51ce286a44f1f0bda6b43c452c28ed157c468d67b04edfe7bdf0ea3b08258c3d2d0

Download Submit
memory/2000-0-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/2000-1-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/2000-2-0x0000000000470000-0x0000000000476000-memory.dmp

Filesize
24KB

Download
memory/2000-3-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/2000-14-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/3024-16-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/3024-18-0x0000000000290000-0x0000000000296000-memory.dmp

Filesize
24KB

Download